syzkaller-repros/linux/6eac9890f5b21f7971b7ebc3dd6124f16ec5444a.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KMSAN: kernel-infoleak in put_cmsg
 // https://syzkaller.appspot.com/bug?id=6eac9890f5b21f7971b7ebc3dd6124f16ec5444a
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE
 #include <endian.h>
 #include <linux/futex.h>
 #include <pthread.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 struct thread_t {
   int created, running, call;
   pthread_t th;
 };

 static struct thread_t threads[16];
 static void execute_call(int call);
 static int running;

 static void* thr(void* arg)
 {
   struct thread_t* th = (struct thread_t*)arg;
   for (;;) {
     while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
       syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
     execute_call(th->call);
     __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
     __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
     syscall(SYS_futex, &th->running, FUTEX_WAKE);
   }
   return 0;
 }

 static void execute(int num_calls)
 {
   int call, thread;
   running = 0;
   for (call = 0; call < num_calls; call++) {
     for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
       struct thread_t* th = &threads[thread];
       if (!th->created) {
         th->created = 1;
         pthread_attr_t attr;
         pthread_attr_init(&attr);
         pthread_attr_setstacksize(&attr, 128 << 10);
         pthread_create(&th->th, &attr, thr, th);
       }
       if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
         th->call = call;
         __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
         __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
         syscall(SYS_futex, &th->running, FUTEX_WAKE);
         struct timespec ts;
         ts.tv_sec = 0;
         ts.tv_nsec = 20 * 1000 * 1000;
         syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
         if (running)
           usleep((call == num_calls - 1) ? 10000 : 1000);
         break;
       }
     }
   }
 }

 uint64_t r[1] = {0xffffffffffffffff};
 void execute_call(int call)
 {
   long res;
   switch (call) {
   case 0:
     res = syscall(__NR_socket, 0xa, 3, 0x3c);
     if (res != -1)
       r[0] = res;
     break;
   case 1:
     *(uint16_t*)0x20000300 = 0xa;
     *(uint16_t*)0x20000302 = htobe16(0);
     *(uint32_t*)0x20000304 = 0;
     *(uint64_t*)0x20000308 = htobe64(0);
     *(uint64_t*)0x20000310 = htobe64(1);
     *(uint32_t*)0x20000318 = 0;
     syscall(__NR_connect, r[0], 0x20000300, 0x1c);
     break;
   case 2:
     *(uint64_t*)0x200000c0 = 0;
     *(uint32_t*)0x200000c8 = 0;
     *(uint64_t*)0x200000d0 = 0x20000200;
     *(uint64_t*)0x200000d8 = 0;
     *(uint64_t*)0x200000e0 = 0x20000140;
     *(uint64_t*)0x200000e8 = 0;
     *(uint32_t*)0x200000f0 = 0;
     syscall(__NR_sendmsg, r[0], 0x200000c0, 0xc100);
     break;
   case 3:
     *(uint32_t*)0x20000400 = 0x398;
     syscall(__NR_setsockopt, r[0], 0x29, 0x4a, 0x20000400, 4);
     break;
   case 4:
     *(uint64_t*)0x200004c0 = 0x20000040;
     *(uint32_t*)0x200004c8 = 0x80;
     *(uint64_t*)0x200004d0 = 0x20000400;
     *(uint64_t*)0x200004d8 = 0;
     *(uint64_t*)0x200004e0 = 0x20000480;
     *(uint64_t*)0x200004e8 = 0x28;
     *(uint32_t*)0x200004f0 = 0;
     syscall(__NR_recvmsg, r[0], 0x200004c0, 0);
     break;
   case 5:
     *(uint64_t*)0x20000a40 = 0;
     *(uint32_t*)0x20000a48 = 0;
     *(uint64_t*)0x20000a50 = 0x20000100;
     *(uint64_t*)0x20000100 = 0x20000500;
     memcpy(
         (void*)0x20000500,
         "\xd0\x9a\x0e\x63\xc9\x47\x62\x88\xb6\x71\xaf\xdb\xd5\x3a\x59\x94\xe1"
         "\x37\x38\x1f\x62\x02\x1d\x19\x51\xb6\x27\xb8\xdd\xa5\x7a\x5d\x17\xd7"
         "\x44\x64\x8c\x81\xc5\x70\x3e\xd8\x14\x6a\xb1\xb0\x17\x1f\x89\x09\x1b"
         "\x1d\xd3\x23\x8d\x03\xdb\xb6\x86\xdf\x46\x09\x63\x24\x5d\xed\xf2\x01"
         "\x3e\xe5\x55\xaf\x99\x49\x9e\x44\xad\x42\x0d\xbf\x65\xfd\x46\xfb\xc9"
         "\x9a\x12\x74\x42\x9e\x2d\x57\x83\x75\x18\x15\x82\x8e\xc8\xcb\x35\x53"
         "\x11\x0c\xca\x66\x46\x02\x15\x35\x3d\x19\xf6\xd8\xbb\xd8\xfb\x26\x4e"
         "\xdd\xea\x60\xb1\x8e\x16\xc3\x1a\xa5\xe2\x00\x00\x04\x91\x63\x4a\xc2"
         "\xfd\x10\xe2\xcd\x30\xbc\xd7\xfe\xde\x24\x26\x3a\x7f\xff\x16\xe5\x3e"
         "\xa2\x93\xf3\x55\x1b\x71\x47\xc3\x3a\x44\xea\x43\x7f\xb1\x51\x5c\x3e"
         "\x8d\x4f\x16\x2f\xde\xbf\x8e\xbe\x11\xae\x6f\xcd\x93\x72\xc8\xd8\xf1"
         "\x95\x56\xae\x09\x1f\xe9\x42\x15\xae\x94\x34\xda\x41\x2f\x6f\xa4\xcb"
         "\x65\x61\xe5\xf7\x8f\xf9\x70\x78\x44\xee\x5d\x57\x3f\xb2\x94\x43\x77"
         "\x22\xd9\xa0\x6d\xfa\x61\x74\x8c\x32\xc7\x3d\x75\x99\x33\xa8\xdd\x34"
         "\x4c\x94\x7d\x3e\xfd\xbe\x90\xd0\xeb\x04\x9d\xf5\xfb\xb0\xc1\x9f\x67"
         "\x85\x26\x4b\x61\x9c\x53\x0d\x97\x39\x5d\x44\xb0\x4f\x7e\x2a\x28\x0d"
         "\x65\x8c\x78\x71\xad\x37\x3b\x79\x26\x78\xc4\x92\x27\x99\x96\x51\xef"
         "\x3b\x2e\xe1\xbc\x2b\x8f\x30\x35\xdb\x37\x6e\x8e\x09\xaa\x38\x37\x23"
         "\x3c\x87\x13\x06\x5a\x8a\xd1\x31\xd2\x4f\x6c\x42\xa3\x22\x0d\x0e\x07"
         "\xc3\xd3\xe9\x5d\x59\xa5\xdd\x10\xc0\x97\x16\xb5\xf8\x74\xec\xf5\x3a"
         "\xad\xfa\x50\x50\xff\x40\xf2\xc3\xc4\xa6\x29\xb6\x44\x5e\x58\x36\x10"
         "\x0a\xff\xf5\xa8\x97\x75\x83\x65\x3b\x40\xca\x31\x6f\x8f\x11\x41\x6e"
         "\x5c\x1b\xd5\x49\x96\x36\xdd\xae\x25\xfc\x49\x70\xb3\x72\x09\xcf\x5c"
         "\x0b\xf8\xe4\x32\x16\x0c\x25\x8d\x14\x22\x3b\xaa\x52\x79\x8e\x09\x85"
         "\x86\x45\x77\x3d\xd9\x7e\x68\xa9\x53\x10\x72\x71\x3c\xff\x07\x7b\x2e"
         "\x73\xe0\x3e\xd4\xf1\x45\xe9\x19\x9c\x12\x6a\x7f\x23\x5e\x56\x74\xa3"
         "\xc7\xf5\xc7\x12\x9a\xc7\xc1\xa3\x31\x95\x90\x24\x9b\x6d\x34\xef\x6c"
         "\x3d\x8b\x94\xc6\xfc\x7c\xdc\xbd\xdb\x05\x32\x43\x05\x3f\x7b\xc1\xf2"
         "\x30\xd3\xbc\x7d\xfc\x43\x59\xe3\x39\x92\xd0\xa3\x94\x6b\x91\x4a\x09"
         "\x32\x87\xa7\x6a\xc4\xa2\x49\xb5\xb8\x6c\xc7\x54\x76\x46\x6e\x40\x95"
         "\x53\x35\x5f\xef\xab\x75\xe9\x26\x8a\x87\x51\xff\xc9\x48\x1f\xcf\xf1"
         "\xf4\x9c\x47\x56\x99\x59\x5b\x31\x5e\x21\x47\xee\xbe\x8b\x72\x91\x60"
         "\x0c\x6b\x1c\xf7\xc8\xf2\x4d\x58\x7b\x94\x64\xa6\x7e\x5c\xce\xc1\x78"
         "\x20\xe7\x11\xb9\x8f\x4f\x7d\x50\x53\x64\x20\x68\xa3\xff\xf7\x04\xc3"
         "\xfe\x35\xba\x86\x2b\x53\xe2\x62\x2d\x6e\x8b\x4a\x4c\x81\x5f\xb2\xea"
         "\x90\xef\x63\xe1\x41\x20\x9d\xd2\x92\x54\xe5\xab\x5b\xde\x9c\x68\x57"
         "\xb3\xcb\x18\x45\x86\x04\x9e\x77\x41\xb2\xd8\xb5\xb1\xa1\x9e\x99\xe1"
         "\x83\x4a\x25\x95\x91\x55\x72\x0c\x1c\x0e\xf8\x4d\x9d\x3c\x42\xe1\xba"
         "\x28\x28\x47\xd4\x76\xce\xf0\x22\x8b\x14\x22\xab\xa0\x8e\x5f\x3c\x1c"
         "\xd2\x79\xbb\xd1\xc5\x30\x3c\x2e\x9c\x16\xa0\xda\x4f\x88\xf7\x70\xfc"
         "\xa1\x18\xb0\x9e\x92\xb5\x1a\x33\x97\x0e\x32\xad\xe0\xc7\x4e\xee\x1b"
         "\x31\xa4\x20\xd7\x91\x4c\x9d\x75\xdb\x25\x85\x5a\xe3\x27\x98\xed\xc1"
         "\xb4\x7e\x0f\x0f\x88\x42\x9b\x2b\x60\xae\x63",
         725);
     *(uint64_t*)0x20000108 = 0x2d5;
     *(uint64_t*)0x20000a58 = 1;
     *(uint64_t*)0x20000a60 = 0x20003b40;
     *(uint64_t*)0x20000a68 = 0;
     *(uint32_t*)0x20000a70 = 0;
     syscall(__NR_sendmsg, r[0], 0x20000a40, 0);
     break;
   }
 }

 void loop()
 {
   execute(6);
 }

 int main()
 {
   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
   loop();
   return 0;
 }
	// KMSAN: kernel-infoleak in put_cmsg
	// https://syzkaller.appspot.com/bug?id=6eac9890f5b21f7971b7ebc3dd6124f16ec5444a
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE
	#include <endian.h>
	#include <linux/futex.h>
	#include <pthread.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	struct thread_t {
	int created, running, call;
	pthread_t th;
	};

	static struct thread_t threads[16];
	static void execute_call(int call);
	static int running;

	static void* thr(void* arg)
	{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
	while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
	syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
	execute_call(th->call);
	__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
	__atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
	syscall(SYS_futex, &th->running, FUTEX_WAKE);
	}
	return 0;
	}

	static void execute(int num_calls)
	{
	int call, thread;
	running = 0;
	for (call = 0; call < num_calls; call++) {
	for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
	struct thread_t* th = &threads[thread];
	if (!th->created) {
	th->created = 1;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	pthread_create(&th->th, &attr, thr, th);
	}
	if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
	th->call = call;
	__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
	__atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &th->running, FUTEX_WAKE);
	struct timespec ts;
	ts.tv_sec = 0;
	ts.tv_nsec = 20 * 1000 * 1000;
	syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
	if (running)
	usleep((call == num_calls - 1) ? 10000 : 1000);
	break;
	}
	}
	}
	}

	uint64_t r[1] = {0xffffffffffffffff};
	void execute_call(int call)
	{
	long res;
	switch (call) {
	case 0:
	res = syscall(__NR_socket, 0xa, 3, 0x3c);
	if (res != -1)
	r[0] = res;
	break;
	case 1:
	(uint16_t)0x20000300 = 0xa;
	(uint16_t)0x20000302 = htobe16(0);
	(uint32_t)0x20000304 = 0;
	(uint64_t)0x20000308 = htobe64(0);
	(uint64_t)0x20000310 = htobe64(1);
	(uint32_t)0x20000318 = 0;
	syscall(__NR_connect, r[0], 0x20000300, 0x1c);
	break;
	case 2:
	(uint64_t)0x200000c0 = 0;
	(uint32_t)0x200000c8 = 0;
	(uint64_t)0x200000d0 = 0x20000200;
	(uint64_t)0x200000d8 = 0;
	(uint64_t)0x200000e0 = 0x20000140;
	(uint64_t)0x200000e8 = 0;
	(uint32_t)0x200000f0 = 0;
	syscall(__NR_sendmsg, r[0], 0x200000c0, 0xc100);
	break;
	case 3:
	(uint32_t)0x20000400 = 0x398;
	syscall(__NR_setsockopt, r[0], 0x29, 0x4a, 0x20000400, 4);
	break;
	case 4:
	(uint64_t)0x200004c0 = 0x20000040;
	(uint32_t)0x200004c8 = 0x80;
	(uint64_t)0x200004d0 = 0x20000400;
	(uint64_t)0x200004d8 = 0;
	(uint64_t)0x200004e0 = 0x20000480;
	(uint64_t)0x200004e8 = 0x28;
	(uint32_t)0x200004f0 = 0;
	syscall(__NR_recvmsg, r[0], 0x200004c0, 0);
	break;
	case 5:
	(uint64_t)0x20000a40 = 0;
	(uint32_t)0x20000a48 = 0;
	(uint64_t)0x20000a50 = 0x20000100;
	(uint64_t)0x20000100 = 0x20000500;
	memcpy(
	(void*)0x20000500,
	"\xd0\x9a\x0e\x63\xc9\x47\x62\x88\xb6\x71\xaf\xdb\xd5\x3a\x59\x94\xe1"
	"\x37\x38\x1f\x62\x02\x1d\x19\x51\xb6\x27\xb8\xdd\xa5\x7a\x5d\x17\xd7"
	"\x44\x64\x8c\x81\xc5\x70\x3e\xd8\x14\x6a\xb1\xb0\x17\x1f\x89\x09\x1b"
	"\x1d\xd3\x23\x8d\x03\xdb\xb6\x86\xdf\x46\x09\x63\x24\x5d\xed\xf2\x01"
	"\x3e\xe5\x55\xaf\x99\x49\x9e\x44\xad\x42\x0d\xbf\x65\xfd\x46\xfb\xc9"
	"\x9a\x12\x74\x42\x9e\x2d\x57\x83\x75\x18\x15\x82\x8e\xc8\xcb\x35\x53"
	"\x11\x0c\xca\x66\x46\x02\x15\x35\x3d\x19\xf6\xd8\xbb\xd8\xfb\x26\x4e"
	"\xdd\xea\x60\xb1\x8e\x16\xc3\x1a\xa5\xe2\x00\x00\x04\x91\x63\x4a\xc2"
	"\xfd\x10\xe2\xcd\x30\xbc\xd7\xfe\xde\x24\x26\x3a\x7f\xff\x16\xe5\x3e"
	"\xa2\x93\xf3\x55\x1b\x71\x47\xc3\x3a\x44\xea\x43\x7f\xb1\x51\x5c\x3e"
	"\x8d\x4f\x16\x2f\xde\xbf\x8e\xbe\x11\xae\x6f\xcd\x93\x72\xc8\xd8\xf1"
	"\x95\x56\xae\x09\x1f\xe9\x42\x15\xae\x94\x34\xda\x41\x2f\x6f\xa4\xcb"
	"\x65\x61\xe5\xf7\x8f\xf9\x70\x78\x44\xee\x5d\x57\x3f\xb2\x94\x43\x77"
	"\x22\xd9\xa0\x6d\xfa\x61\x74\x8c\x32\xc7\x3d\x75\x99\x33\xa8\xdd\x34"
	"\x4c\x94\x7d\x3e\xfd\xbe\x90\xd0\xeb\x04\x9d\xf5\xfb\xb0\xc1\x9f\x67"
	"\x85\x26\x4b\x61\x9c\x53\x0d\x97\x39\x5d\x44\xb0\x4f\x7e\x2a\x28\x0d"
	"\x65\x8c\x78\x71\xad\x37\x3b\x79\x26\x78\xc4\x92\x27\x99\x96\x51\xef"
	"\x3b\x2e\xe1\xbc\x2b\x8f\x30\x35\xdb\x37\x6e\x8e\x09\xaa\x38\x37\x23"
	"\x3c\x87\x13\x06\x5a\x8a\xd1\x31\xd2\x4f\x6c\x42\xa3\x22\x0d\x0e\x07"
	"\xc3\xd3\xe9\x5d\x59\xa5\xdd\x10\xc0\x97\x16\xb5\xf8\x74\xec\xf5\x3a"
	"\xad\xfa\x50\x50\xff\x40\xf2\xc3\xc4\xa6\x29\xb6\x44\x5e\x58\x36\x10"
	"\x0a\xff\xf5\xa8\x97\x75\x83\x65\x3b\x40\xca\x31\x6f\x8f\x11\x41\x6e"
	"\x5c\x1b\xd5\x49\x96\x36\xdd\xae\x25\xfc\x49\x70\xb3\x72\x09\xcf\x5c"
	"\x0b\xf8\xe4\x32\x16\x0c\x25\x8d\x14\x22\x3b\xaa\x52\x79\x8e\x09\x85"
	"\x86\x45\x77\x3d\xd9\x7e\x68\xa9\x53\x10\x72\x71\x3c\xff\x07\x7b\x2e"
	"\x73\xe0\x3e\xd4\xf1\x45\xe9\x19\x9c\x12\x6a\x7f\x23\x5e\x56\x74\xa3"
	"\xc7\xf5\xc7\x12\x9a\xc7\xc1\xa3\x31\x95\x90\x24\x9b\x6d\x34\xef\x6c"
	"\x3d\x8b\x94\xc6\xfc\x7c\xdc\xbd\xdb\x05\x32\x43\x05\x3f\x7b\xc1\xf2"
	"\x30\xd3\xbc\x7d\xfc\x43\x59\xe3\x39\x92\xd0\xa3\x94\x6b\x91\x4a\x09"
	"\x32\x87\xa7\x6a\xc4\xa2\x49\xb5\xb8\x6c\xc7\x54\x76\x46\x6e\x40\x95"
	"\x53\x35\x5f\xef\xab\x75\xe9\x26\x8a\x87\x51\xff\xc9\x48\x1f\xcf\xf1"
	"\xf4\x9c\x47\x56\x99\x59\x5b\x31\x5e\x21\x47\xee\xbe\x8b\x72\x91\x60"
	"\x0c\x6b\x1c\xf7\xc8\xf2\x4d\x58\x7b\x94\x64\xa6\x7e\x5c\xce\xc1\x78"
	"\x20\xe7\x11\xb9\x8f\x4f\x7d\x50\x53\x64\x20\x68\xa3\xff\xf7\x04\xc3"
	"\xfe\x35\xba\x86\x2b\x53\xe2\x62\x2d\x6e\x8b\x4a\x4c\x81\x5f\xb2\xea"
	"\x90\xef\x63\xe1\x41\x20\x9d\xd2\x92\x54\xe5\xab\x5b\xde\x9c\x68\x57"
	"\xb3\xcb\x18\x45\x86\x04\x9e\x77\x41\xb2\xd8\xb5\xb1\xa1\x9e\x99\xe1"
	"\x83\x4a\x25\x95\x91\x55\x72\x0c\x1c\x0e\xf8\x4d\x9d\x3c\x42\xe1\xba"
	"\x28\x28\x47\xd4\x76\xce\xf0\x22\x8b\x14\x22\xab\xa0\x8e\x5f\x3c\x1c"
	"\xd2\x79\xbb\xd1\xc5\x30\x3c\x2e\x9c\x16\xa0\xda\x4f\x88\xf7\x70\xfc"
	"\xa1\x18\xb0\x9e\x92\xb5\x1a\x33\x97\x0e\x32\xad\xe0\xc7\x4e\xee\x1b"
	"\x31\xa4\x20\xd7\x91\x4c\x9d\x75\xdb\x25\x85\x5a\xe3\x27\x98\xed\xc1"
	"\xb4\x7e\x0f\x0f\x88\x42\x9b\x2b\x60\xae\x63",
	725);
	(uint64_t)0x20000108 = 0x2d5;
	(uint64_t)0x20000a58 = 1;
	(uint64_t)0x20000a60 = 0x20003b40;
	(uint64_t)0x20000a68 = 0;
	(uint32_t)0x20000a70 = 0;
	syscall(__NR_sendmsg, r[0], 0x20000a40, 0);
	break;
	}
	}

	void loop()
	{
	execute(6);
	}

	int main()
	{
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	loop();
	return 0;
	}